MX Lab, http://www.mxlab.eu, started to intercept a new trojan distribution campaign by email with the subject “Voice Message from Unknown (785-553-4447)”
This email is send from the spoofed address “”Administrator <firstname.lastname@example.org>”and has the following body:
– – -Original Message- – –
Sent: Wed, 23 Oct 2013 07:25:07 -0700
Subject: Important: to all Employees
Note that the cell phone number in the subject and body of the message may vary. The xxx is replaced by the recipient domain in the message.
The attached ZIP file has the name VoiceMessage.zip and contains the 27 kB large file VoiceMessage.exe.
The trojan is known as Gen:Variant.Kazy.254763 (B), Trojan-Downloader, Artemis!535109E4902D or UDS:DangerousObject.Multi.Generic.
This trojan can produce outbound traffic and download other files over the internet. A new process hhcbrnaff.exe is created and a connection on port 443 with the host is created glyphs-design.com.
At the time of writing, 9 of the 46 AV engines did detect the trojan at Virus Total.
Virus Total permalink and SHA256: 4d1f10d965fb352617ed1e33491f74d2519304bbc97916e18a014d4481c29f65.
Malwr permalink and SHA256: